How to Secure Your Mac From Potential Theft

My residence was recently broken into (the alarm malfunctioned on entry and only went off as the thieves left) and two Mac laptops were taken. Luckily, I have good insurance and had an up to date Time Machine backup.

Over the past week, I’ve learned some additional things I could have done to prepare for this eventuality. My house had also been broken into ten years ago.

Here’s a summary of what you should do to prepare your Macs right now for the possibility of theft. It won’t eliminate theft but it will greatly reduce the damage from such events and make it more likely that your device will return to you.

1. Use a Password Manager. I’m a longtime user and strong advocate for 1Password. I like that it also allows me to store secure notes. 1Password makes it easy to avoid the habit of re-using passwords amongst multiple sites. It also syncs passwords across multiple Macs, iPhones, iPads et al. If instead you do not use a password-based login for your Mac and save all your passwords in your browser, a thief would very quickly be able to log in to almost all of your accounts.

2. Turn on FileVault. FileVault encrypts your Mac’s hard drive and automatically turns off automatic login, requiring you to provide a password to log in to your Mac. By turning off automated login, FileVault makes it more difficult for thieves to access your laptop data without your password. If they take your hard drive out of your Mac, they won’t be able to easily decrypt your personal data from another device. See System Preferences -> Security & Privacy -> FileVault. Store a copy of the FileVault encryption key somewhere safe – such as a secure note in 1Password.

FileVault also restricts the guest account you’ll set up below from accessing anything other than Safari to browse the web.

Update: See the bottom of this post for more information about FileVault and theft recovery software.

3. Set a Firmware Password. This is critical. Setting a firmware password will prevent anyone from reformatting your hard drive without your password. This will also make it difficult for them to defeat the anti-theft software we’ll describe below. Restart your Mac. When the grey screen appears, hold down Command-R. Once the Recovery System app starts, open the Utilities menu and select Set Firmware Password. Save this password somewhere safe or in 1Password or you won’t ever be able to modify the lower level configuration of your Mac. Note: If you ever sell or give away your Mac, you’ll likely want to remove this password or change it to something simple you can share with the new owner.

4. Install Theft Recovery Software. The goal of theft recovery software is to get the Internet IP address of your laptop if the thief or eventual purchaser reconnects it to the Internet – I saw one statistic that said that 90% of stolen laptops reappear on the Internet within a few weeks. However, if you don’t set a firmware password, the hard drive can be easily reformatted, which will defeat these features. You can use iCloud’s built-in Find My Mac capability (free) or purchase software such as Lojack For Laptops Standard $39 (annually), Orbicule’s Undercover (flat $49-$59 fee) or Prey (free or pro available) (also works for iPhones & iPads). The latter two surreptitiously photograph the thief using your computer. I don’t have a strong recommendation for any of these; however, it seems that the Lojack team has an active effort in collaboration with U.S.-based law enforcement. Sometimes victims of theft may get an IP address of their Mac but the police are not willing to respond to the data. Apparently, the Lojack team has success in getting police response to their software.

5. Create a Guest User Account. The purpose of the guest user account is to make it more likely that the thief or someone downstream will log in to your Mac while it is on the Internet and allow the IP address to be determined by your theft recovery software. If you turned on FileVault, the guest user account will be limited to Safari web browsing and not able to see your local files. If you don’t leave a guest account and you activate FileVault and Firmware Passwords, then your Mac will essentially be a useless brick to the thief – and they might throw it away. The guest account moderately increases the likelihood someone will connect the device to the Internet.

6. Set up Time Machine. Apple’s Time Machine works quite well. Use it with an external hard drive or network-based Time Capsule. Using a network-based approach is advisable with laptops, as they can update their backups with Time Machine over wi-fi and don’t have to be physically connected to a hard drive. I had luckily made sure my Time Machine backup was up to date before I left to travel and within 12 hours, I had restored all my data to a new laptop. I didn’t have to do anything to reconfigure my new laptop – it was now identical to the configuration I’d had before.

7. Subscribe to a Cloud Based Backup Service. I’ve begun using Crash Plan ($60 annually) but many people use BackBlaze. I like Crash Plan because it makes it easier to back up external hard drives whereas BackBlaze has some restrictions on these. If the hard drive with my Time Machine backup is also stolen, all my data will be available in the cloud. Cloud-based backups are also useful in case of hard drive failures, which are quite common as drives age several years.

9. Use Dropbox and Google Drive for Daily Work. Increasingly, I use Dropbox to synchronize my current work files across my Macs. This also provides a small, free cloud-based backup of stuff I’m working on. I also use Google Drive for more and more documents – which are all stored online. Dropbox, by the way, also tracks the IP address of your Mac, should a stolen one be reconnected to the Internet (See Settings -> Security -> Device list). A colleague also recommends BoxCryptor to remotely encrypt your cloud-based documents.

10. Set Login Screen Message. You can set a message on your login screen such as “Property of Joan Smith. Please contact me at …” which anyone with physical access to your Mac will see. It’s like a personalized software engraving for your Mac. See Preferences -> Security & Privacy -> General -> Show a message when the screen is locked.
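
A quick way to confirm that steps 2, 3, 5 and 10 are actually in place is to read the state back from the command line. The script below is an added example, not part of the original post; it assumes an Intel Mac running OS X 10.10 or later (where `firmwarepasswd` exists), and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): audit checklist steps 2, 3, 5, 10.
# Each predicate takes the text a macOS tool printed, so the logic can be
# exercised with constructed sample output on any machine.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_on() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No"
firmware_pw_set() { case "$1" in *"Password Enabled: Yes"*) return 0 ;; *) return 1 ;; esac; }

# `defaults read <loginwindow> GuestEnabled` prints 1 when the guest account is on
guest_enabled() { [ "$1" = "1" ]; }

# `defaults read <loginwindow> LoginwindowText` prints the lock-screen message
login_message_set() { [ -n "$1" ]; }

# check <label> <predicate> <tool output>: print OK/FIX, return the predicate's verdict
check() {
  if "$2" "$3"; then printf 'OK   %s\n' "$1"; else printf 'FIX  %s\n' "$1"; return 1; fi
}

# audit <fdesetup out> <firmwarepasswd out> <GuestEnabled> <LoginwindowText>
# Returns 0 only when every item is in place.
audit() {
  rc=0
  check "FileVault is on (step 2)" filevault_on "$1" || rc=1
  check "Firmware password is set (step 3)" firmware_pw_set "$2" || rc=1
  check "Guest account is enabled (step 5)" guest_enabled "$3" || rc=1
  check "Login screen message is set (step 10)" login_message_set "$4" || rc=1
  return "$rc"
}

# On a Mac, feed in the real tool output. Run with sudo: firmwarepasswd needs
# root, and without it the firmware item is reported as FIX.
if command -v fdesetup >/dev/null 2>&1; then
  lw=/Library/Preferences/com.apple.loginwindow
  audit "$(fdesetup status 2>/dev/null)" \
        "$(firmwarepasswd -check 2>/dev/null)" \
        "$(defaults read "$lw" GuestEnabled 2>/dev/null)" \
        "$(defaults read "$lw" LoginwindowText 2>/dev/null)" || true
fi
```

Any line starting with FIX points back to the numbered step that still needs doing.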

There is conflicting information about whether use of File Vault 2 interferes with Theft Recovery Software. I’ve asked several vendors and honestly, all the information still conflicts – so you’ll have to experiment on your own.

The issue is whether or not the guest account that allows Safari login actually allows the theft recovery software to activate itself during this process – or not.

LoJack was very responsive and seems to say if installed correctly, that it works – but I’m skeptical.

There should be no problems with LoJack working with any encryption software, including FileVault 2. However, please be aware that if you are using encryption software on your device, you should fully decrypt the drive before installation of LoJack. Once the installation has been successful, you may re-encrypt the drive.

In all other regards, LoJack is fully compatible with FileVault 2.

With Mac devices, LoJack does not write to a boot sector, so the chances of corruption are non-existent. LoJack will write to certain system folders, and if the device is encrypted, these writes can sometimes fail to occur. When this happens, the installer will universally error out. For this reason, as a rule, we will always recommend decryption of a drive first, to ensure that the installation will run more smoothly and without errors.

Undercover, which relies on the same software capabilities, says the opposite:

Undercover is indeed unfortunately not compatible with FileVault 2 (Full Disk Encryption), as this will not allow the Mac to boot (only on the recovery partition, where Undercover cannot be installed), unless you know the password. As a result, no applications can be run without the password. This includes Undercover, and even Apple’s own Find My Mac software.

So basically you have to choose between protecting your data with FileVault or having a chance to recover your Mac. I’m sorry to say this, but this is how Apple has designed FileVault 2.

Jeff, in the early going I heard bad things about FileVault’s behavior — I can’t remember precisely what the issues were. Is it stable now? Does it slow down hard-drive performance?

http://wp.jeffreifman.com/consulting Jeff Reifman

I’ve not seen anything about problems with it. It’s been on my iMac for a long time – and my MacBook Air. Unfortunately, I hadn’t set it up on my MacBook Pro.

alarmclocktothestars

That was FileVault 1 (now called “legacy FileVault”). Since Lion, FileVault 2 (now just referred to as “FileVault”) is fantastic, with no noticeable performance hit.

mraybourne

Came here via Loop, and pleased to find that even as a “power” user there were still some things I didn’t know – namely, the firmware password. Great set of tips.

http://wp.jeffreifman.com/consulting Jeff Reifman

Thanks. I consider myself a power user as well – and was surprised not to have fully realized the value of these non-default features together.

I’m surprised Apple hasn’t made setting a firmware password a set up option – they probably want to avoid a bunch of hardware being bricked when people forget them.

http://www.gothick.org.uk Matt Gibson

One, more physical, precaution: most Macs and many external drives come with a Kensington lock point. My iMac and both my WD My Book and NetGear ReadyNAS boxes certainly have them, so they’re all anchored very securely to separate points on the wall by my desk. I’m sure it wouldn’t stop a determined thief, but it might make an opportunist decide to run off with other gadgets that have less crucial data on them, or at least leave you with a backup drive…

PNW Tom

The Macbook Pro Retina does not have a Kensington port, and every workaround I’ve seen is a kludge, unfortunately.

bobab

From what I understand, the firmware password and iCloud (find my mac/iphone) locks your logic board which prevents the thief from simply replacing the hard drive as well as locking your mac from booting external volume (or internal optical drive). If you lose your pw, the only way to unlock the logic board is to bring it to apple so I would advise contacting apple if your laptop or idevice is lost or stolen. This only applies to 2010 and newer macs and iPhone/ipad (no fw on idevices but iCloud locks it to your account).

Orville Reddenbecker

Unfortunately, from personal experience, Apple does not look out for, or support finding stolen devices. Period. The best you can hope for is that the punk/loser that steals your Mac spends enough time on the guest account that you and the police can track it down. So far, no luck for me.

Erik

Hi Jeff,

I thought I’d share my setup, since it sounds like we have similar concerns.

The end result of my process is that you have an entire guest installation of OS X, which can autologin and get Prey running ASAP. Then you have your separate, encrypted main installation which is protected by Filevault2 and the firmware password.

Here’s what I did (loosely):

1) Create Mavericks USB Installer
2) Boot from USB installer, unlock all disks, disable encryption on all disks, and delete all partitions.
3) In Disk Utility, create a 20GB partition named Guest. Use the rest of the disk for a partition called Main.
4) Install OS X onto the Guest partition.
5) After installation, reboot to the USB drive again.
6) Install OS X onto the Main partition.
7) Once you’re booted into the Main volume, turn on FileVault2.
8) In System Preferences, change the startup disk to Guest.
9) Boot to the recovery partition and set a firmware password.

Now the following behavior is observed.

1) From power off, if you let the machine boot, it boots into the Guest install. Here you can put all sorts of tracking software, run an SSH server, automatically connect back to a VPN, etc.

2) From power off, if you hold Option, you’ll be asked for a firmware password. Providing it lets you choose where to boot from, which means you can boot from your Main partition. Of course, you’ll still need to enter your password to decrypt.

Unfortunately, this uses up a lot of space (20GB!) and it means you have two installations to take care of (updates.) But it seems to get you the best of both worlds–encryption, plus a reason for a thief to not just destroy the machine outright.

thegoodread

I am new to all this security stuff and wondered about an easier solution. Probably simple-minded might be a better description. Would it not be just as effective to use a very strong Administrator password, keep my passwords on Stickies and use FileVault 2 with a firmware password?